2018-12-06 | CD-SIBOIF-1088-6-DIC6-2018

Norm on Internal Control and Internal Audit of Securities Entities

The Superintendence of Banks and Other Financial Institutions issued Resolution No. CD-SIBOIF-1088-6-DIC6-2018 to regulate the internal control and internal audit systems of securities entities in Nicaragua. The resolution mandates that the Board of Directors establish adequate internal controls and an independent Internal Audit Unit (UAI) to ensure operational efficiency, risk management, and regulatory compliance. It further defines the specific qualifications, appointment procedures, responsibilities, and independence requirements for the Internal Auditor to safeguard the integrity of financial reporting and governance.

Nicaragua

Superintendencia de Bancos y de Otras Instituciones Financieras

Page 1 of 21 Resolution No. CD-SIBOIF-1088-6-DIC6-2018 Dated December 6, 2018

NORM ON INTERNAL CONTROL AND INTERNAL AUDIT OF SECURITIES ENTITIES

The Board of Directors of the Superintendence of Banks and Other Financial Institutions,

CONSIDERING

I That Article 6, letter e) of Law No. 587, Capital Markets Law, published in La Gaceta, Official Gazette No. 222 of November 15, 2006, expresses as a function of the Board of Directors of the Superintendence to establish, in a general manner, accounting and audit standards, in accordance with best practices in this matter;

II That the work carried out by internal audit units in periodically evaluating the degree of efficiency and effectiveness of the internal control systems implemented by supervised financial institutions and verifying their compliance by the members of said institutions constitutes a fundamental mechanism of support for the supervision and control carried out by this Superintendence; therefore, it is necessary to establish and update the minimum criteria required for their exercise in accordance with international standards and best practices;

III That in accordance with the foregoing and based on the powers established in Article 10, items 2) and 10), of Law No. 316, Law of the Superintendence of Banks and Other Financial Institutions, and its reforms; contained in Law No. 974, Law of the Nicaraguan Legal Digest of the Banking and Finance Matter, published in La Gaceta, Official Gazette No. 164, of August 27, 2018, and its reforms.

In exercise of its powers,

HAS ISSUED

The following:

Resolution No. CD-SIBOIF-1088-6-DIC6-2018 NORM ON INTERNAL CONTROL AND INTERNAL AUDIT OF SECURITIES ENTITIES

CHAPTER I GENERAL PROVISIONS

Article 1. Concepts.- For the purposes of this norm, the terms indicated in this article, both in uppercase and lowercase, singular or plural, shall have the following meanings:

a) Unplanned activities: Special examinations that are not foreseen in the annual work plan and that become necessary for the evaluation of the functioning of the internal control system and its different components;

b) Planned activities: Activities authorized by the Board of Directors of the company, which must be executed promptly by the Internal Audit Unit, with the objective of examining, evaluating, and monitoring the adequacy and effectiveness of the internal control system.

c) Audit committee or committee: The Audit Committee appointed by the Board of Directors of the company.

d) Days: Calendar days, unless expressly stated that it refers to business days;

e) Entity or Securities Entity: Stock exchanges, securities depositories, stock exchange seats, investment and securitization fund management companies, and rating agencies constituted in the country.

f) Significant events: These are facts that may have a material impact on liquidity, solvency, image, among other aspects of the entity. The materiality of a fact will depend on whether it has the potential to cause an important impact, whether quantitative or qualitative, on an important business line of the company or on its operations in general. To this end, the internal auditor must apply their best professional judgment to determine those facts that they consider may potentially impact the company and require reporting due to their significant nature;

g) Institute of Internal Auditors: International association dedicated to the continuous professional development of the internal auditor and the internal audit profession, better known by its English acronym as IIA.

h) Board of Directors: The main administrative body of the securities entity.

i) General Banking Law: Law 561, General Banking Law, Non-Banking Financial Institutions and Financial Groups, published in La Gaceta, Official Gazette No. 232, of November 30, 2005; contained in Law No. 974, Law of the Nicaraguan Legal Digest of the Banking and Finance Matter, published in La Gaceta, Official Gazette No. 164, of August 27, 2018, and its reforms.

j) Capital Markets Law: Law No. 587, Capital Markets Law, published in La Gaceta, Official Gazette No. 222 of November 15, 2006; contained in Law No. 974, Law of the Nicaraguan Legal Digest of the Banking and Finance Matter, published in La Gaceta, Official Gazette No. 164, of August 27, 2018, and its reforms.

k) Manual: Internal Audit Manual containing the policies, procedures, and audit techniques to be used to evaluate the functioning of the internal control system of the supervised securities entity;

l) Accounting Framework: Refers to the Accounting Framework for Financial Institutions of the Securities Market.

m) IFRS: International Financial Reporting Standards issued by the International Accounting Standards Board, better known by its English acronym as “IASB”;

n) International Standards for the Professional Practice of Internal Audit: Standards issued by the Institute of Internal Auditors that serve as an international reference in the matter;

o) Plan: Annual work plan containing the general guidelines, objectives, scope, and planned activities developed by the internal audit unit during each fiscal year;

p) Internal control system: Set of policies, procedures, and control techniques established by the entity to provide reasonable assurance in achieving adequate administrative organization and operational efficiency, reliability of reports flowing from its information systems, appropriate identification and management of the risks it faces in its operations and activities, and compliance with applicable legal provisions;

q) Superintendence: Superintendence of Banks and Other Financial Institutions;

r) Superintendent: Superintendent of Banks and Other Financial Institutions;

s) UAI or Internal Audit Unit: Refers to the internal audit unit under the responsibility of an internal auditor.

Article 2. Object.- The object of this norm is to regulate the scope of internal audits and establish guidelines so that the board of directors of the entities regulated in this norm, through its UAI, permanently safeguards the efficiency and effectiveness of internal control systems and compliance with their regulations with the aim of minimizing risks, using the principles established in this norm and in generally accepted audit techniques and procedures.

Article 3. Scope.- The provisions of this norm are applicable to Stock Exchanges, Securities Depositories, Stock Exchange Seats, Investment and Securitization Fund Management Companies, and Rating Agencies constituted in the country.

CHAPTER II INTERNAL CONTROL

Article 4. Mandatory Nature of Internal Control.- Securities entities are obligated to have an internal control system that, at a minimum, contains a set of policies, procedures, and control techniques established by the entity to provide reasonable assurance in the safeguarding of assets and to achieve adequate administrative organization and operational efficiency, reliability of reports flowing from its information systems, appropriate identification and management of the risks it faces, and compliance with applicable legal provisions.

CHAPTER III BOARD OF DIRECTORS

Article 5. Responsibilities of the Board of Directors.- Regarding internal control, the board of directors of the securities entity is responsible for adopting, at a minimum, the following measures:

a) Establish mechanisms, guidelines, procedures, and policies oriented to establish an adequate internal control system. These measures must include the way to keep board members permanently informed;

b) Meet once a month, without prejudice to extraordinary meetings, to address matters that require prompt attention;

c) Record in the Minutes Book the agreements and resolutions adopted on the topics addressed, so that the analysis, discussion, and decision-making on said topics can be verified, as well as a follow-up exercise on the implementation of decisions and measures adopted;

d) Establish the audit committee and approve the regulations for its functioning;

e) Form a UAI under the responsibility of an internal auditor who meets the requirements established in this norm and in the regulations governing the matter on requirements to be a director, general manager and/or chief executive and internal auditor of financial institutions;

f) Delimit the functions and responsibilities of the administration, control, and audit bodies;

g) Ensure that the UAI develops its functions with absolute technical independence in accordance with the provisions established in this norm;

h) Ensure that UAI members are effectively separated from administrative and/or operational functions, improper to the independent function of auditing;

i) Ensure that the administration and control bodies implement and execute the provisions established in guidelines and procedures emanating from the board of directors;

j) Monitor the effectiveness of the design and functioning of the internal control structure and environment, to determine if it is functioning according to its objectives, and modify it when necessary;

k) Take immediate action and adopt necessary corrective measures on any significant situation or finding detected that requires its prevention or correction;

l) Ensure that recommendations derived from internal audit reports, external audit, money laundering prevention administrator, and stock exchange supervision are implemented; as well as instructions from the Superintendent; and

m) Establish guidelines to ensure that the organizational structure of the securities entity contemplates adequate segregation of functions and avoids potential conflicts of interest between the different units of the same entity.

CHAPTER IV INTERNAL AUDIT UNIT

Article 6. Characteristics of the Audit Unit.- Securities entities must have a UAI, which shall have the following characteristics:

a) It will be headed by an internal auditor appointed in accordance with the requirements established in this norm and in the regulations governing the matter on requirements to be a director, general manager and/or chief executive and internal auditor of financial institutions;

b) Its members must be effectively separated from the administrative and operational functions of the company;

c) It will depend organically, functionally, and administratively on the board of directors of the entity;

d) It will fulfill its functions and objectives in a timely, independent, effective, and efficient manner;

e) It will have direct, free, and unrestricted access to all corporate books, among others: those of an accounting nature, share register, board of directors, general shareholders' meetings, and any other committee or working body existing or created in the entity; as well as to records, files, documents stored in any medium, and information on operations that it considers necessary for the exercise of its audit functions.

f) It must have appropriate infrastructure and adequate human, technical, and logistical resources commensurate with the magnitude and complexity of the entity's operations, as well as the risks it faces.

The board of directors of the entity is responsible for ensuring appropriate conditions for the development of the internal audit function. The internal auditor and other auditors who make up the UAI must receive permanent, continuous, and updated training in matters related to their functions, for which it corresponds to the internal auditor to present the training needs regarding the members of the UAI, indicating the main areas of training and the number of hours required annually, a request that must be presented and discussed in the audit committee and authorized by the board of directors. All information obtained by the UAI is subject to banking secrecy, as provided in Article 113 of the General Banking Law.

Article 7. Functions of the Audit Unit.- The UAI shall have the following minimum functions:

a) Evaluate the design, execution, effectiveness, and sufficiency of the internal control system.

b) Evaluate compliance with legal and regulatory provisions governing the respective securities entity.

c) Evaluate the reliability, confidentiality, availability, effectiveness, integrity, and functionality of information technology and the control mechanisms and usage established by the supervised entity to guarantee its security and protection;

d) Evaluate compliance with the entity's policies, procedures, and other internal norms.

e) Conduct permanent follow-up on the implementation and compliance with orders, instructions, and/or recommendations formulated by the Superintendent, by external auditors, by the Stock Exchange supervision, and by the UAI itself.

f) In accordance with the audit standards referred to in this norm, it must design the annual work plan to determine the priorities of the internal audit activity and submit it to the board of directors through the audit committee for approval, and send it to the Superintendent for their knowledge. Likewise, comply with the activities programmed in the annual work plan and prepare the respective reports.

g) Verify the effectiveness of the internal controls proposed and designed for an operation, service, or product in the stage prior to its launch.

h) Evaluate the sufficiency, effectiveness, and compliance of the integrated system for the management and prevention of money laundering, terrorism financing, and financing of the proliferation of weapons of mass destruction risks, for which they must consider the regulations issued by the Superintendence and international best practices in the matter;

i) Evaluate the entity's compliance with the application of IFRS in the preparation of its financial reports;

j) Evaluate the quality, sufficiency, and timeliness of financial information.

k) Verify the organizational structure authorized by the board of directors of the securities entity in relation to the effective segregation of functions and exercise of powers attributed to each of the entity's officials.

l) Evaluate compliance with other aspects determined by the board of directors, the audit committee, and the Superintendent.

Article 8. Qualities of the Audit Unit.- The persons who make up the UAI must possess the knowledge, technical aptitudes, experience, and other qualities required to fulfill their responsibilities. Without prejudice to the foregoing, every UAI must have an information systems audit service that collaborates in achieving its functions and objectives. This service must have competent personnel and specific experience in Information Technology auditing appropriate in competencies to the complexity and size of the operations performed by the supervised entity, which may also be subcontracted. The UAI of the entity that is part of a financial group may rely on the UAI of said group to perform the audit on the Information Technology environment and related aspects established in this norm.

Article 9. Subcontracting.- Securities entities may subcontract functions assigned to the UAI in order to access advantages of a technical, resource, methodological nature, among others. This type of subcontracting must comply with what is established in Article 130 of the General Banking Law, with the requirements indicated in this norm, and with what is provided in the regulations governing the matter on contracting service providers for the performance of operations or services on behalf of financial institutions.

Regardless of the level of subcontracting, the internal auditor remains responsible for ensuring that internal audit functions properly and effectively, and in accordance with what is provided in this norm and according to the service agreement or contract signed with the provider. The internal auditor is responsible for supervising compliance with the service contract, ensuring the general quality of activities, reporting to the audit committee, as well as following up on the results of the contracted work.

Likewise, in order to avoid possible conflicts of interest, the internal auditor must ensure that personnel subcontracted by the entity does not perform functions other than Internal Audit, such as: accounting services; information systems operation; local network administration; operation, supervision, design, or implementation of computer systems (hardware and software); valuations, appraisals, or estimates; administration; representation and resolution of legal and tax conflicts; personnel recruitment; training; or consulting them.

Article 10. Audit Procedures and Techniques.- The audit procedures and techniques employed by the UAI must comply with the provisions established in this norm and with what is established in the International Standards for the Professional Practice of Internal Audit issued by the Institute of Internal Auditors. Likewise, said audit procedures and techniques must be contained in the respective manual of internal audit procedures and techniques.

CHAPTER V INTERNAL AUDITOR

Article 11. Appointment of the Internal Auditor.- The UAI will be headed by the Internal Auditor, a full-time official with exclusive dedication, whose appointment corresponds to the general shareholders' meeting for a period of three years and may be re-elected. In the case of financial groups, the Superintendent may authorize, upon request and presentation of pertinent justifications, that the Internal Auditor of the responsible coordinator or the controlling company, when it is domiciled in the country, be appointed as Internal Auditor of the securities entities belonging to the financial group. In order to avoid possible conflicts of interest, securities entities may not appoint as internal auditor persons who in the last twelve (12) months have held positions in the accounting area or managerial positions in operational areas or business units, in the same entity.

Article 12. Requirements of the Internal Auditor.- The interested party wishing to provide their services to a securities entity as an internal auditor must meet the qualification criteria and information requirements established in the regulations governing the matter on requirements to be a director, general manager and/or chief executive and internal auditor of financial institutions; as well as the requirements established in this norm. The Superintendent may consider the appointment of an internal auditor who does not meet the minimum requirement of five (5) years of experience at an adequate level of magnitude and complexity of the responsibility to be performed, established in the aforementioned norm, when they meet the following qualities:

a) Have at least three (3) years of experience in auditing financial institutions; and

b) Have relevant academic degrees, among others, postgraduate studies, master's degrees, or doctorates related to the position.

To prove compliance with the requirements provided for in the aforementioned letters, the financial institution must present the documentation required by the regulation governing the matter on requirements to be a director, general manager and/or chief executive and internal auditor of financial institutions.

Article 13. Responsibilities of the Internal Auditor.- The internal auditor is responsible for complying, at a minimum, with the following:

a) Inform the Superintendent in writing in case of temporary absence from their position for more than thirty (30) days and of any other modification in the composition of the UAI that significantly affects its functioning and independence;

b) Verify that practices favoring partners, directors, or administrators of the company do not occur, which could constitute a detriment to the interest of clients. If the existence of any practice of this nature is verified, they must report it in writing, immediately and simultaneously, to the Audit Committee and the Superintendent;

c) Communicate the occurrence of significant events immediately, directly, and simultaneously, to the vigilante elected by the general shareholders' meeting, to the Superintendent, to the audit committee, and to the board of directors of the entity. Such communication must be made no later than three (3) days following the knowledge of the facts;

d) Ensure compliance with the provisions established in this Norm.

Article 14. Removal of the Internal Auditor.- The removal of the internal auditor before the expiration of their term must have the vote of a majority of two-thirds of shareholders present in the general shareholders' meeting and be submitted to the consideration of the Superintendent for non-objection, indicating the reasons that justify such measure. The Superintendent may request a report from the internal auditor, who must present it no later than on the date indicated to them. After the aforementioned term has elapsed, the Superintendent within eight (8) business days thereafter, by reasoned resolution, will determine what they consider pertinent. In this case, or in case of resignation, the lack of an internal auditor cannot last more than sixty (60) days.

Article 15. Interim Internal Auditor.- With prior authorization from the Superintendent, the UAI may be headed by an interim internal auditor appointed by the general shareholders' meeting, for a period of up to six (6) months, except in the case of removal or resignation of the internal auditor, in which case, the UAI may be under their charge for up to sixty (60) days as provided in the preceding article. The interim internal auditor must meet the same requirements established in this norm for the case of the internal auditor.

Article 16. Prohibition.- Stock exchanges may not appoint their internal auditor as responsible for the supervision process that they must carry out in the stock exchange seats; likewise, it is prohibited for said official to participate in such audits.

CHAPTER VI ANNUAL WORK PLAN

Article 17. Minimum Content of the Annual Work Plan.- The preparation of the annual work plan will be the responsibility of the UAI. The plan

...